DDoS attacks cost organizations $40,000 per hour, survey finds

The average distributed denial-of-service (DDoS) attack costs a business roughly $40,000 per hour, according to an Incapsula survey. Since 49 percent of incidents last between six and 24 hours – 86 percent of respondents reported that an average attack lasts 24 hours or less – the average cost associated with a DDoS attack is assessed in the survey at approximately $500,000.

To learn how DDoS attacks impact businesses, Incapsula surveyed 270 North American organizations – 80 percent of which are headquartered in the U.S. – that have anywhere from 250 to 10,000 employees.

Igal Zeifman, product evangelist and researcher at Incapsula, told SCMagazine.com in a Thursday email correspondence that companies stand to lose some or all of their revenue per hour when hit by a DDoS attack. As an example, Zeifman noted that $1 billion in annual revenue amounts to $114,155 per hour, so “every hour a large business operates is worth a lot of money.” And the cost of DDoS attacks goes beyond lost revenue. Organizations that are victims of DDoS attacks incur costs from loss of customers, brand damage, legal fees, and wasted staff time, he added.

In the survey, 52 percent of respondents said they had to replace hardware or software, 50 percent had a virus or malware installed or activated on their network, 43 percent experienced loss of consumer trust, 33 percent acknowledged customer data theft, and 19 percent suffered intellectual property loss – 60 percent reported having two or more of these consequences.

Within the company, 35 percent of those surveyed indicated that IT takes the largest financial hit, but 23 percent named sales, 22 percent named security and risk management, and 12 percent named customer services.

“Sales is hit with responding to angry customers who may leave, or threaten to leave, the business they had contracts with, for example a SaaS vendor or hosting provider with a service level agreement,” Zeifman said. “Sales may also miss its number, for example an online retailer knocked offline on Cyber Monday.”

Additionally, five percent named marketing and public relations, and two percent named legal.

“Marketing often has to communicate with customers and repair their reputation with customers and the market,” Zeifman said. “Legal is involved in negotiations over SLA violation, potential lawsuits, and potentially with regulatory filings in the financial services industry.”

Incapsula indicates in the survey that organizations should be able to respond to DDoS attacks with as few employees as possible.

When asked how many employees in the organization are tasked with mitigating or combating a DDoS attack, 27 percent of respondents said more than 15 staffers, 69 percent said between two and 15 people, and no one said just a single individual. Furthermore, while 43 percent of respondents said their company uses a purpose-built DDoS protection solution, more than half stated that their firm relies on web application firewalls or traditional network firewalls that are vulnerable on their own.

“In general, organizations do not do a good job when it comes to crisis planning,” Zeifman said. “There are often business priorities that take precedence, though the lack of planning may come back to bite them. Just like organizations should have plans to recover from data breaches, they should have plans to recover from DDoS attacks.”

In the survey, 46 percent of respondents indicated that they had received a ransom note from a DDoS attacker, and 45 percent said they had not. 40 percent of those surveyed said they believe the attacker was attempting to flood the company’s network infrastructure to block all connections to its domain, 20 percent believe the attacker was targeting specific applications to block the company’s use, and 33 percent believe both were motivations.

Extortion for profit is one of the primary drivers of DDoS attacks, Zeifman said.

“Extortionist hackers rent botnets for a relatively small amount of money, say $500, and then threaten DDoS attacks on ten to twenty sites, betting that some will pay up,” Zeifman said. “It is effectively DDoS arbitrage.”

Zeifman added that hacktivism and competitive business feuds are other big motivations.

“Hacktivists try to draw attention to their cause or the faults of the organization they are attacking,” Zeifman said. “Their aim is publicity, but the business and its customers suffer. Competitive business feuds are more common in certain competitive and loosely regulated industries like online gambling, multiplayer online games, and bitcoin exchanges. Competitors try and take out a competitor to drive business to their game site, gambling site or exchange.”